| I agree with Bret here. The question is what do we do with mixed-level TLP. For example, the whole STIX document is TLP amber, but these elements are TLP red. While the TAXII server might pass or store the whole document, if someone with amber but not red access asks for the document, does the whole document fail? I would offer if the source took the effort to separately indicate amber vs. red, they mean to pass the amber stuff with their trusted TAXII server partner “doing the right thing” with the red elements.
Beating the supine equine, this is an example of critical content marking ;-)
A lot of these issues will be done in an implementation. Most of these are not really specification level items.
Use case #1: I send a STIX package to a TAXII Collection server. If that TAXII server does not know or understand the extensions you have included in your document, then more then likely they will be lost. You can test for this by submitting something, and then asking for it back.
Use case #2: You send a STIX package to a TAXII Collection or a TAXII Channel and you have some Level 2 data markings in the document. You probably do not want them going to people that can not understand them. So there may be a human built policy on the TAXII server to not send these packages or that content to people that can not use them. This would be an implementation level issue. DLP, proxies, layer7 firewalls, NAT devices, content filters, SSL viability devices, and a ton of other things sit in line today and modify content that flows over the wire based on organizational policy. Regardless of wether we like it or not, this will happen.
What we want to figure out in the specification is how to guarantee a certain behavior under certain conditions or how to identify and know what is going to happen.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Jason Keirstead wrote this message on Mon, Feb 01, 2016 at 15:49 -0400: What I mean is if I create a STIX document and push it to a TAXII server on
a channel, I expect anyone else subscribed to that channel should either
receive the document as I created it, or not receive it at all. I myself do
not think TAXII should be diving into the STIX and modifying the documents,
removing attributes from them.
My point is that STIX documents could be very large, , and I don't think it's good to think of them like that... More like a node in a graph w/ links (idref) to other nodes... Imagine if some vendors got together and made a tempoary extension to the
indicator property called "Risk" or something, but whenever a producer sent
it onto the wire, the TAXII server stripped it off. That value might be
useful for a consumer.. the TAXII server has no idea what values will be of
use to whom, it should not be stripping off a property just because it
doesn't recognize it.
I do agree that unknown properties should not be stripped from objects... All properties of an object MUST be passed, unchanged, through. John-Mark --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
|